search for: load_polici

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1212807

This is continuing/summarising a rather long discussion that happened on IRC ... We talked to some SELinux experts about what was required to make SELinux work with libguestfs, and it seems reasonably simple to load the policy from the guest filesystem. All that needs to be done is to mount the guest disks up and then run: sh "/usr/sbin/load_policy -i" That command also mounts up

--- customize/customize_run.ml | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/customize/customize_run.ml b/customize/customize_run.ml index 0f1d72a..cd4616c 100644 --- a/customize/customize_run.ml +++ b/customize/customize_run.ml @@ -338,15 +338,19 @@ exec >>%s 2>&1 if ops.flags.selinux_relabel then ( msg (f_"SELinux

Do SELinux relabelling properly.

On Tue, Jan 21, 2014 at 12:01:45PM -0500, R P Herrold wrote: > (5) it can do an additional step at very end of the post > install: > restorecon -R / This doesn't work on its own. I suspect this would work: load_policy && restorecon -R / except it gives an error for me: SELinux: Could not downgrade policy file /etc/selinux/targeted/policy/policy.29, searching for

Hi guys, I followed this article to install my first xen project to compare its CPU/memory and I/O performance with a kvm domain on CentOS 6.4. http://www.virtuatopia.com/index.php/Building_a_Xen_Virtual_Guest_Filesystem_on_a_Disk_Image_%28Cloning_Host_System%29 In the initial tests whit super.pi benchmarck the CPU performance of my xen domai was extremely worst than my kvm domain. Well, I am

[ I realized that we were discussing adding this feature, in various private email, IRC, and this long bugzilla thread: https://bugzilla.redhat.com/show_bug.cgi?id=1060423 That's not how we should do things. Let's discuss it on the mailing list. ] One thing that virt-customize/virt-sysprep/virt-builder have to do is relabel SELinux guests. What we do at the moment

Since it is available only in OCaml >= 4.03, which is higher than our requirement, add a simple reimplementation of it. Fixes commit 719d68fa247cc3885ecf7ec1c010faf83267d786. --- customize/SELinux_relabel.ml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/customize/SELinux_relabel.ml b/customize/SELinux_relabel.ml index e7d440c29..7cc166edb 100644 ---

Trying to add SELinux support to my bitcoin package. Keep getting this on install: SELinux: Could not downgrade policy file /etc/selinux/targeted/policy/policy.29, searching for an older version. SELinux: Could not open policy file <= /etc/selinux/targeted/policy/policy.29: No such file or directory /sbin/load_policy: Can't load policy: No such file or directory

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1212807 Since v1: - Combine the virt-builder detection code into virt-customize. - Enables us to delete Architecture and Uname modules completely. Rich.

A common problem that people have with virt-builder and virt-sysprep is which guests that use SELinux, like Fedora and RHEL. In both cases we touch /.autorelabel in the guest, which means the guest has to reboot once during its first boot. Recap: SELinux file labels -------------------------- SELinux requires that files have labels. Access to a file is controlled by the label on that file.

Also turns the --selinux option of guestfish, guestmount and virt-rescue into a no-op -- it didn't work before so this is effectively no change. --- builder/builder.ml | 6 ----- customize/customize_main.ml | 5 ---- dib/dib.ml | 6 ----- fish/fish.c | 5 ++-- fish/guestfish.pod | 2 +- fuse/guestmount.c | 5 ++--

Also turns the --selinux option of guestfish, guestmount and virt-rescue into a no-op -- it didn't work before so this is effectively no change. --- builder/builder.ml | 6 ----- customize/customize_main.ml | 5 ---- dib/dib.ml | 6 ----- fish/fish.c | 5 ++-- fish/guestfish.pod | 2 +- fuse/guestmount.c | 5 ++--

These patches update the example FLASK policy shipped with Xen and enable its build if the required tools are present. The third patch requires rerunning autoconf to update tools/configure. [PATCH 1/3] flask/policy: sort dom0 accesses [PATCH 2/3] flask/policy: rework policy build system [PATCH 3/3] tools/flask: add FLASK policy to build

v1 -> v2: - Add simple test of the setfiles API. - Use SELinux_relabel module in virt-v2v (instead of touch /.autorelabel). - Small fixes. Rich.

This shouldn't change the effect of this code. --- mlcustomize/SELinux_relabel.ml | 121 ++++++++++++++++++--------------- 1 file changed, 65 insertions(+), 56 deletions(-) diff --git a/mlcustomize/SELinux_relabel.ml b/mlcustomize/SELinux_relabel.ml index 44995df..5df1f08 100644 --- a/mlcustomize/SELinux_relabel.ml +++ b/mlcustomize/SELinux_relabel.ml @@ -28,65 +28,74 @@ module G = Guestfs

This implements the --selinux-relabel option for virt-customize, virt-builder and virt-sysprep. There is no need to autorelabel functionality now. Thanks: Stephen Smalley --- builder/Makefile.am | 1 + builder/virt-builder.pod | 20 +++++++++---------- customize/Makefile.am | 2 ++ customize/SELinux_relabel.ml | 46 +++++++++++++++++++++++++++++++++++++++++++

...thods, only blocking the background drb instance. Logs show no errors. Even more interesting is the fact that everything works fine on linux. Out of curiosity, I ran wireshark and think I''ve found the problem, truncated data. Here''s what was sent: 000000073..{.:.worker_method:.load_policies:.worker:.renewal_worker:.type:.do_wor which would explain why everything is blocked. Has anyone seen this behavior or have any thoughts on what is happening? Thanks, Kevin -------------- next part -------------- An HTML attachment was scrubbed... URL: http://rubyforge.org/pipermail/backgroundr...

These commands let you set and get the SELinux context of the daemon and all operations in the API and processes run from the daemon: $ ./fish/guestfish --ro -a /dev/mapper/vg_trick-F11x64 \ selinux 1 : \ run : \ mount /dev/vg_f11x64/lv_root / : \ sh "/usr/sbin/load_policy" : \ getcon : \ setcon "system_u:system_r:unconfined_t:s0" : \ getcon

I installed SeLinux in warn mode. HOw do i check to see what it is wanring about? This wil help me in make a decision to turn it to active mode..:) -- My "Foundation" verse: Isa 54:17 No weapon that is formed against thee shall prosper; and every tongue that shall rise against thee in judgment thou shalt condemn. This is the heritage of the servants of the LORD, and their